
Motivation Mystery Behind WannaCry, ExPetr

A shift in APT tactics is emerging as characterized by the destructive ExPetr attacks hidden in ransomware, and WannaCry, which also failed to turn a profit.

If two is a coincidence and three is a trend, maybe we’re not quite there yet in officially calling WannaCry and ExPetr a new movement among APT attacks. But for now, it’s close enough.

Researchers are starting to examine the real motivations behind each global outbreak and whether these attacks truly signal a shift of direction in nation-state tactics.

Cisco’s Midyear Cybersecurity Report seems to point in that direction, saying that attackers have destructive campaigns at scale in the works and that weakly protected and vulnerable connected devices are going to be the vehicle for these attacks.

Kaspersky Lab, meanwhile, compared WannaCry and ExPetr side-by-side—both of which were spread entirely or in-part by the leaked NSA exploit EternalBlue—and warned that ransomware attacks are a pretty good shield for destructive attacks.

“One APT was rushed, opportunistic, not as technically capable as the other, while the other APT was practical, agile, and focused,” Kaspersky Lab concluded about its WannaCry-ExPetr tale-of-the-tape. “But we are at the start of a trend emerging for this unusual tactic: APT camouflage destructive targeted activity behind ransomware.”

ExPetr took that route, spreading ransomware that really wasn’t profit-motivated malware. Errors in the code prevented recovery of data encrypted by the malware, which in concert with the actions of a German email host that shut down the attacker’s email address left victims up a creek.

It didn’t take long for researchers to conclude that ExPetr was instead a cloaked wiper attack foisted upon organizations in Ukraine primarily. Computers that were compromised by the malware had their Master Boot Record overwritten, rendering those machines lost forever, researchers said, adding that these were acts of sabotage and that collecting a few hundred dollars in Bitcoin from each victim was the furthest thing from the attackers’ minds.

The difference between ExPetr and Shamoon, Destover or Black Energy is that those destructive attacks were much more aggressive and straightforward, Kaspersky Lab said.

“These components were all wiper technology, delivered in a very intentional and destructive manner. It’s interesting that these spectacles all coincided with large political events and interests,” Kaspersky Lab researchers said. “So this new need to cloak their destructive activity or sabotage is an interesting shared change in tactics.”

WannaCry’s well-documented killswitch was an odd choice to include in the ransomware, something that researchers still haven’t completely figured out. Kaspersky Lab said it shared private reports with subscribing customers that indicate the attackers behind WannaCry also used spearphishing emails with links to files hosted at file-sharing services. The alleged resumes and job inquiries were instead executable files that installed droppers and downloaders that were later used to install WannaCry. The attackers, alleged to be North Korea’s Lazarus Group, did not attempt to collect the Bitcoin paid to recover files, nor did they enhance any development in the malware with features intended to turn a profit.

“This sort of inexpensive, two month long activity also may tell us a bit about the actor, their capabilities, and their interests — slow, practical, and somewhat hiding their interests in a very odd way,” Kaspersky Lab said.

Cisco’s report, meanwhile, focused more on the co-opting of IoT devices in large-scale attacks. The Dyn DDoS attacks of last fall showed the way, Cisco postulates, and now empowered by ExPetr, more may be on the way.

“There are signs that new types of attacks—more sinister and destructive than campaigns of the past—are in development. Adversaries are devising high-impact, well-planned attacks that are designed to prevent any organization, big or small, from operating,” Cisco said. “They know that no business has a contingency plan that outlines how to rebuild all their IT or OT from scratch, and they are determined to use that weakness to their advantage.”

Authors

Threatpost
